This is my suggestion for the commit message:

--

This commit fixes two separate issues which are closely linked.

First, a 2.5 client cannot connect to a server which does not support NCP and is not using one of the default --data-ciphers (AES-*-GCM).

This is because the 2.5 client does not use its configured --data-ciphers cipher.

Fix a 2.5 client to use the configured --data-ciphers cipher.

Second, do not allow the 2.5 client to use --data-ciphers-fallback in the above situation because that is not its intended use.

Fix --data-ciphers-fallback to only be used when there is no OCC cipher.

--


I wanted to get rid of the idea of fallback in the first part of the message because it is not "falling-back" to the --data-ciphers cipher. It is actually not recognising that it is configured with the correct cipher at all.

And the second part is the *only* case in which a "fallback" is required and allowed.

The original message reads as if the opposite were true and --data-ciphers-fallback can be used in any situation other than no OCC cipher.

This is only a suggestion to help clarify the commit. Reword it how you see fit.




On 14/08/2020 19:50, tincanteksup wrote:
Hi,

I tested this patch and it does make --data-ciphers and --data-ciphers-fallback behave in their intended "fashion".

Unfortunately, the commit message is grammatically incorrect and also logically misleading.

The intended fashion is for --data-ciphers to recognise that the correct cipher *has* been chosen and use it accordingly.

And for --data-ciphers-fallback to *not* be used in situations other than no OCC cipher.


Reported-by: Richard Bonhomme <tincantek...@gmail.com>
Tested-by: Richard Bonhomme <tincantek...@gmail.com>


On 14/08/2020 09:06, Arne Schwabe wrote:
OpenVPN 2.5 clients do not correctly do a fallback to the server server.
This commit fixes that logic and also fixes --data-ciphers-fallback to
be used in situations other than no OCC cipher.

To reproduce the error use a client with only --data-ciphers set against
a server without NCP.

         OPTIONS ERROR: failed to negotiate cipher with server.
         Add the server's cipher  ('AES-256-CBC') to --data-ciphers
         (currently 'AES-256-CBC') if you want to connect to this server.

Reported by: Richard Bonhomme <tincantek...@gmail.com>

Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
  src/openvpn/ssl_ncp.c | 9 +++++----
  1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index f522b8f0..c9ab85ce 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -296,13 +296,14 @@ check_pull_client_ncp(struct context *c, const int found)
      }
      /* If the server did not push a --cipher, we will switch to the
       * remote cipher if it is in our ncp-ciphers list */
-    bool useremotecipher = tls_poor_mans_ncp(&c->options,
- c->c2.tls_multi->remote_ciphername);
-
+    if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
+    {
+        return true;
+    }
      /* We could not figure out the peer's cipher but we have fallback
       * enabled */
-    if (!useremotecipher && c->options.enable_ncp_fallback)
+    if (!c->c2.tls_multi->remote_ciphername && c->options.enable_ncp_fallback)
      {
          return true;
      }
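Review bot: the added `if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))` line drops the space after `if` that the rest of this function uses (`if (!c->c2.tls_multi->remote_ciphername && ...)` two hunk lines below); please write it as `if (tls_poor_mans_ncp(...))` so the style stays consistent. The logic change itself reads correctly: the old code computed `useremotecipher` but never returned on it, so an acceptable remote cipher was ignored, and the fallback branch is now gated on `remote_ciphername` being absent rather than on the poor-man's-NCP check failing, which matches the "only when there is no OCC cipher" intent stated in the thread. The comment above the first change still says "ncp-ciphers list" while the commit message talks about --data-ciphers; consider updating the comment in the same patch.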



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
